
I’m using Firebase Auth for my web app.

What I need from that service is a user database and all things related to that, plus easy implementation of different providers.

Though I have a few doubts about the web implementation.

Why is passwordHash returned for a user logging in with email + pwd? There’s no clear instruction on how to disable that. I really would like to avoid sending the password, even in hash form, more than needed, which is the initial login; then we use a JWT, right?
I really find it troubling to get my passwordHash whenever https://identitytoolkit.googleapis.com/v1/accounts:lookup is called for a session check.

Besides, I don’t want to know user display names, or almost anything else.

Yet there’s no way to tell Firebase not to send them back, nor to send them to me. I can ignore them, but I’d prefer to avoid that, because the privacy policy is harder because of it.

2 Answers


  1. As I understand this, you’re trying to prevent your web app from ever having access to the displayName and the passwordHash, as you are concerned about collecting additional data as far as your privacy policy is concerned.

    Regarding the passwordHash, there is no significant security concern with your own web app having access to it: the hash itself is impractical to break with any reasonably strong password (hashed + salted, so even if your site is compromised, it would take time to brute force). In addition, if your site is compromised, the passwordHash is the least of your concerns: the user needs to enter their password into your site anyway.

    • As mentioned by Frank van Puffelen, you may be using an admin key on your web app. Admin keys should not be accessible to users, as that would be a HUGE security issue. That said, the passwordHash being accessible to a logged-in user is not the problem; it’s the use of an admin key in userland.

    As far as the Privacy Policy goes, if a party you contract (like Firebase) collects the data, it is frequently as if you collected the data. Quite simply, you have access to the displayName whether you want it or not (even if you could turn it off in Firebase you could still turn it back on).

    Basically, what you’re asking for isn’t possible. Your service is collecting emails and displayNames, and has authentication data, and there is no way to ignore that functionality. That said, accounts are a very widespread feature everywhere, so writing a privacy policy to include accounts is common, and should be expected.

  2. There are two ways to invoke the account lookup REST API. From the docs:

    Gets account information for all matched accounts.

    1. For an end user request, retrieves the account of the end user.
    2. For an admin request with Google OAuth 2.0 credential, retrieves one or multiple account(s) with matching criteria.

    The first one is when the request is done by the app user themselves, while the second one is done by an administrator of the account. In the latter case, the API returns more information, including (according to this doc):

    passwordHash string (bytes format)

    The account’s hashed password. Only accessible by requests bearing a Google OAuth2 credential with proper permissions.

    From how I read this, the password hash is only returned when you access the API with OAuth2 credentials that have administrative access to the project. It should not be present when you call the API with credentials for a regular Firebase Authentication user. If that is not the behavior you see in your usage, please edit your question to include a minimal repro.

    A common use-case for using this API as an admin is to export the users to a different system, in which case the password hash (and the salt) is actually a key part of the necessary information.


    If you’re looking to share the information for multiple users for a different type of use-case, you will either have to filter the data that you return from your API or (my preferred approach) store the minimal data that you want to make more broadly available in a separate system, such as the Firestore database.

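Added example, not code from this thread or from Firebase: it shows the two request shapes the answer describes (an end-user call carrying the user's own ID token, and an admin call carrying a Google OAuth 2.0 bearer token), a check that flags admin-only fields in a lookup response the browser received, and the filtering the answer recommends. The endpoint is the one from the question; the field names idToken, localId, salt, emailVerified and the key query parameter are assumed from the Firebase REST docs, and the sample response is constructed.

```javascript
const LOOKUP_URL = "https://identitytoolkit.googleapis.com/v1/accounts:lookup";

// Fields that, per the docs quoted in the answer, only come back for requests
// bearing an admin OAuth 2.0 credential. Seeing them in a browser response means
// the page holds a privileged credential, which is the real problem.
const ADMIN_ONLY_FIELDS = ["passwordHash", "salt"];

// End-user form (assumed from the REST docs): API key in the query string,
// the signed-in user's own ID token in the body.
function endUserLookupRequest(apiKey, idToken) {
  return {
    url: `${LOOKUP_URL}?key=${encodeURIComponent(apiKey)}`,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ idToken }),
  };
}

// Admin form: Google OAuth 2.0 bearer token, other accounts looked up by localId.
// Only ever build this on a trusted server, never in the web app.
function adminLookupRequest(oauthToken, localIds) {
  return {
    url: LOOKUP_URL,
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${oauthToken}` },
    body: JSON.stringify({ localId: localIds }),
  };
}

// Admin-only fields present on any user in a lookup response. Run it over what
// the browser actually receives; a non-empty result points at an admin credential.
function leakedAdminFields(lookupResponse) {
  const found = new Set();
  for (const user of lookupResponse.users || []) {
    for (const f of ADMIN_ONLY_FIELDS) if (f in user) found.add(f);
  }
  return [...found].sort();
}
// The answer's filter approach: keep only the fields the app needs before
// passing lookup data on to other callers.
function toMinimalProfile(user, keep = ["localId", "email", "emailVerified"]) {
  return Object.fromEntries(keep.filter((k) => k in user).map((k) => [k, user[k]]));
}

// Constructed sample of an admin-credential response; not a real account.
const SAMPLE_ADMIN_RESPONSE = {
  users: [{ localId: "uid-123", email: "a@example.com", emailVerified: true,
            displayName: "Alice", passwordHash: "UkVEQUNURUQ=", salt: "c2FsdA==" }],
};
```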